Hackers Are Using Leaked NSA Backdoors to Hack Tens of Thousands of Vulnerable Windows PCs

Rafia Shaikh
Shadow Brokers asa

Microsoft may have significantly downplayed the severity of NSA documents leaked by Shadow Brokers. Dumped last week, the documents exposed hacking tools used by the National Security Agency, many of them targeting Windows computers. Security experts now believe that tens of thousands of Windows systems may have been infected by a highly advanced NSA backdoor, also leaked last week in this dump.

Dubbed DoublePulsar, the hacking tool was used by a threat actor named "Equation Group," allegedly linked to the NSA. Only exposed a week ago, the tool has already been spotted in live attacks. Script kiddies and other online criminals have reportedly started exploiting this backdoor to compromise thousands of vulnerable Windows computers.

Related StoryDeals Editor
Black Friday Blockbusters: Save $599 on Surface Laptop 4

The Shadow Brokers' NSA leak had exposed a number of NSA-exclusive hacking tools targeting Windows XP, Windows Server 2003, Windows 7 and 8, and Windows 2012. Following the public exposure, Microsoft confirmed that many of the leaked exploits were patched by the company in its March Patch Tuesday update, just weeks before the leaks. Microsoft had also said that up-to-date systems aren't vulnerable to these hacking tools, which appears to be true.

Script kiddies reportedly using DoublePulsar NSA backdoor, leaked by Shadow Brokers

Several different groups of researchers scanning for the DoublePulsar backdoor saw a significant bump in the number of infected Windows PCs over the weekend. "DoublePulsar is the primary payload used in SMB [Server Message Block] and RDP [Remote Desktop Protocol] exploits in FuzzBunch," zerosum0x0 explained. "Analysis was performed using the EternalBlue SMBv1/SMBv2 exploit against Windows Server 2008 R2 SP1 x64."

DoublePulsar backdoor is used to inject and run malicious code on already infected systems. The multi-architecture SMB backdoor can avoid alerting anti-virus or other system defenses by not writing to the computers it infects. DoublePulsar also ensures that your infected systems remain open to future - and more intrusive - attacks. The backdoor is installed using the EternalBlue exploit that targets SMB file-sharing services on Windows XP, Server 2008 R2, and other systems, which is why an infected machine is required for this backdoor to work.

Dan Tentler, CEO of the Phobos Group, said that about 25 percent of all vulnerable and publicly exposed SMB machines are now infected. He revealed 33,468 systems were found to be infected among the scanned 1.17 million hosts.

"People [who] have gotten their hands on the tools just started exploiting hosts on the Internet as fast as they could," Tentler said. "On the part of Shadow Brokers, if their intention was to get mass infections to happen so their NSA zerodays got burned, the best is to release the tools [before] the weekend. DoublePulsar is a means to an end."

Security researchers from Errata Security detected roughly 41,000 infected machines, while researchers from Below0day detected more than 30,000 infected machines. Another security firm, Binary Edge, also performed a mass scan and detected more than 107,000 Windows computers infected with DoublePulsar, confirming that the number of compromised hosts is growing.

Microsoft, however, believes that the reports aren't accurate. "We doubt the accuracy of the reports and are investigating," the company spokesperson said. Windows users are advised to keep their machines updated and remember that while there is a possibility of inaccurate numbers, once infected, your system will be open to further attacks.

Deal of the Day